(54) Controlling access to services between modular applications

(57) The present invention provides a method and an apparatus for providing a first computer program module (122) with the ability to access a service from a second computer program module (112). The method includes receiving the first computer program module (122), for example, at a third party computer system (140), and determining whether the first computer program module has been digitally signed by an authority (204) having power to confer access for the service. If so, the method provides the first computer program module (122) with access to the service. A variation on this embodiment includes verifying that the first computer program module (122) includes a chain of certificates establishing a chain of authorisation for the service. This verification process includes verifying that a first certificate in the chain is signed by an entity (400) that is originally authorised to confer access for the service, and verifying that subsequent certificates in the chain are signed by entities (430, 450) that have been delegated authorisation to confer access for the service. In a further variation on the above embodiment, the act of providing the first computer program module with access to the service includes providing the first computer program module (122) with a permit that allows the first computer program module (122) to perform a restricted set of operations on the service.
Description

BACKGROUND

[0001] The present invention relates to protection mechanisms in computer systems. More specifically, the present invention relates to a method and an apparatus for controlling access to services.
[0002] Programming languages such as the Java™ programming language (developed by Sun Microsystems, Inc. of Palo Alto, California) and associated supporting interfaces presently provide a reliable and secure infrastructure to support the transfer of an application across a computer network, and to run the application on a wide range of computing platforms. Because of developments such as Java, it is becoming increasingly common to load an application, such as a Java applet, from a remote server onto a local machine, and to execute the application on the local machine.
[0003] However, present computing systems are not designed to allow computer applications from different vendors to interact with each other in a controlled way so that the applications can work together to accomplish a given task. In particular, these systems do not facilitate sharing of data and functions. For example, it may be useful for a tax application to access capital gains information from a home brokerage application. However, the home brokerage application needs to protect the privacy of the customer's portfolio. Hence, the tax application cannot be given unrestricted access to portfolio data from the home brokerage application.
[0004] Additionally, software vendors may want to enforce contractual arrangements between complementary applications. For example, a home brokerage application may want to tap into historical pricing information supplied by an application from a financial institution. This arrangement would be facilitated if the vendor of the home brokerage application would establish a contractual arrangement with the financial institution that allows the home brokerage application to access the historical pricing information.
[0005] Unfortunately, present computing systems lack any mechanism for facilitating and controlling access to services provided by other applications. In particular, with present systems it is not possible to identify applications that have been granted rights to access services from other applications, nor to control what services a given application can have performed.

SUMMARY

[0006] The present invention provides a method and an apparatus for providing a first computer program module with the ability to access a service from a second computer program module. The method includes receiving the first computer program module, for example, at a third party computer system, and determining whether the first computer program module has been digitally signed by an authority having power to confer access for the service. If so, the method provides the first computer program module with access to the service. A variation on this embodiment includes verifying that the first computer program module includes a chain of certificates establishing a chain of authorization for the service. This verification process includes verifying that a first certificate in the chain is signed by an entity that is originally authorized to confer access for the service, and verifying that subsequent certificates in the chain are signed by entities that have been delegated authorization to confer access for the service.

[0007] In a further variation on the above embodiment, the act of providing the first computer program module with access to the service includes providing the first computer program module with a permit that allows the first computer program module to perform a restricted set of operations on the service.

[0008] In another variation on the above embodiment, the first computer program module and the second computer program module can interact with each other on a third party computer system. In this case, the first computer program module is transferred from a first server to the third party system, and the second computer program module is transferred from a second server to the third party system. This allows the first computer program module and the second computer program module to interact with each other on the third party system.

BRIEF DESCRIPTION OF THE FIGURES

[0009]

FIG. 1 illustrates a number of computer nodes coupled together through a network 130 in accordance with an embodiment of the present invention.
FIG. 2 illustrates the process of receiving access to a service in accordance with an embodiment of the present invention.
FIG. 3 illustrates part of the structure of client code module 122 from FIG. 1 in accordance with an embodiment of the present invention.
FIG. 4 illustrates how authority to access a service is transferred between different entities using a chain of certificates in accordance with an embodiment of the present invention.
FIG. 5 is a flow chart illustrating how authorization to access a service is propagated, and is ultimately used to gain access to the service, in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION 

[0010] The following description is presented to enable any person skilled in the art to make and use the invention, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the present invention. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.

[0011] For purposes of this detailed disclosure the following terminology is used. (1) A "Java Archive file" can be a file containing modular bodies of Java™ code in addition to resources, such as graphics or audio files. (2) A "computer readable storage medium" can be any device or medium that can store code and/or data for use by a computer system. This includes, but is not limited to, magnetic and optical storage devices such as disk drives, magnetic tape, CDs (compact discs) and DVDs (digital video discs), or alternatively, computer instruction signals embodied in a carrier wave. (3) A "computer program module" can be a module including a collection of instructions that can be executed by a computer. These instructions may comprise an entire computer program, or merely a piece of a computer program. A computer program module often exists in a form that facilitates downloading onto a computer system across a computer network. For example, a computer program module may take the form of a Java™ Applet. (4) An "entity" can be a human being, a computer program or a computer system, that has the power to confer access rights for a service, and optionally the ability to delegate such power to other entities. (5) A "service" can include a single service or a plurality of services. Therefore, the act of conferring access for a service can also confer access to a plurality of services.

Computer System

[0012] FIG. 1 illustrates a number of computer nodes coupled together through a network 130 in accordance with an embodiment of the present invention. In FIG. 1, servers 110 and 120 are coupled to third party system 140 through network 130. A computer node can be any computation device that can be coupled to a computer network. A computer node may include, but is not limited to, a personal computer, a workstation, a mainframe computer, a portable computer or a device controller. Network 130 generally refers to any type of wire or wireless link between computers, including, but not limited to, a local area network, a wide area network, or a combination of networks. In one embodiment of the present invention, network 130 includes the Internet. Servers 110 and 120 can be any nodes on a computer network including a mechanism for servicing requests from a client for computational or data storage resources. Third party system 140 may be any node on a computer network communicating with servers 110 and 120 that is able to download code and/or data from servers 110 and 120.

[0013] In the embodiment illustrated in FIG. 1, server 110 contains server code module 112, and server 120 contains client code module 122. For purposes of this detailed disclosure, a server code module is a module including code that provides a service to a client code module, and a client code module is a module including code that requests a service from a server code module. Server code module 112 and client code module 122 include modular pieces of code that can operate together on third party system 140. The dashed lines on FIG. 1 represent server code module 112 and client code module 122 being downloaded onto third party system 140 across network 130. This downloading process can take place in a number of ways. In one embodiment of the present invention, server 110 includes a web site that can be accessed by a user on third party system 140 to download server code module 112 onto third party system 140. Correspondingly, server 120 includes a web site that can be accessed by a user on third party system 140 to download client code module 122 onto third party system 140. In another embodiment, server code module 112 and client code module 122 are not downloaded across network 130. Instead, they are transferred from servers 110 and 120, respectively, to third party system 140 by way of computer storage media, such as a computer disk.

[0014] Once server code module 112 and client code module 122 are located on third party system 140, they can be integrated to work together as is illustrated in FIG. 1. For example, in providing a service to client code module 122, server code module 112 might retrieve data from a database for client code module 122. Alternatively, server code module 112 might perform a computational operation for client code module 122. This integration process may involve determining whether client code module 122 has been conferred the right to access services from server code module 112. In the reverse direction, this process may involve determining whether server code module 112 has been conferred the right to access services from client code module 122.

Access Model

[0015] FIG. 2 illustrates the process of accessing a service in accordance with an embodiment of the present invention. FIG. 2 illustrates interaction between server gate 202, system 204 and client code module 122 (from FIG. 1). Server gate 202 includes an access mechanism that controls access to services provided by server code module 112 (from FIG. 1). In one embodiment of the present invention, server gate 202 is located within server code module 112 on third party system 140. In another embodiment, server gate 202 is located within server 110 itself, and is accessed via communications across network 130. System 204 includes a mechanism for establishing that client code module 122 is properly authorized to access services provided by server code module 112. To this end, system 204 is implemented in a number of ways. In one embodiment, system 204 is implemented by code that is part of third party system 140. In another embodiment, system 204 may be implemented as part of server code module 112 within third party system 140.

[0016] The process illustrated in FIG. 2 operates as follows. Client code module 122 is assumed to already exist within third party system 140. In order to access a desired service, client code module 122 requests a "ticket" for a "role" to access a collection of services from server code module 112. (For purposes of this detailed disclosure, a ticket is an object that cannot be forged that indicates that the holder of the object has been signed to use certain services.) A role defines a set of operations to be performed by server code module 112. Certain roles may be more limited than other roles. For example, if server code module 112 maintains a computer file system, one role may include only the operation of reading a file from the file system. Another more powerful role may include the operations of reading, writing and deleting files from the file system.

[0017] In response to the request, system 204 examines client code module 122 to determine if client code module 122 includes proper authorization for the role. In one embodiment of the present invention, this examination includes examining a certificate chain 310 (illustrated in FIG. 3) to ensure that certificate chain 310 has been properly signed by a chain of authorities. This process is described in more detail below with reference to FIGs. 3-5.

[0018] If client code module 122 is properly authorized for the role, system 204 issues a ticket for the role, and this ticket is given to client code module 122. Next, client code module 122 passes the ticket to server gate 202. Server gate 202 checks the ticket to ensure that the ticket is valid. If it is valid, server gate 202 sends a permit for the service to client code module 122. (For purposes of this detailed description, a permit is a proxy or a capability giving a holder of the permit access to a service or a group of services.) This permit allows client code module 122 to access the services defined by the role. In one embodiment of the present invention, this permit is an object defined within an object-oriented programming system. This object allows client code module 122 to perform a set of methods that comprise the role. After the permit is sent, server gate 202 invalidates the ticket, so that it cannot be used again. Since client code module 122 remains in possession of the permit, client code module 122 will be able to access services using the permit, and hence, no longer needs the ticket.
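The ticket-and-permit exchange of FIG. 2, written out as a small Go program. This is an added illustration, not code from the patent or from any Sun product: the System, Gate, Ticket and Permit types, the "tax-app" client, the reader and editor roles and the Authorizer hook are all constructed here, with the authorizer standing in for the certificate examination that system 204 performs.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Role is the restricted set of operations a client may perform ([0016]).
type Role map[string]bool

// Ticket is the single-use token of [0016]: 16 random bytes only the issuing system knows.
type Ticket string

// Authorizer is a hypothetical hook standing in for the certificate-chain check of system 204.
type Authorizer func(clientID, role string) bool

// System models system 204. It keeps the outstanding tickets so that the
// gate can redeem each exactly once.
type System struct {
	authorize   Authorizer
	outstanding map[Ticket]string // ticket -> role it was issued for
}

func (s *System) IssueTicket(clientID, role string) (Ticket, error) {
	if !s.authorize(clientID, role) {
		return "", fmt.Errorf("client %q is not authorized for role %q", clientID, role)
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	t := Ticket(hex.EncodeToString(b))
	s.outstanding[t] = role
	return t, nil
}

// Permit is the capability server gate 202 hands back: it exposes only the
// role's operations, lapses after a period, and logs each use ([0035]).
type Permit struct {
	roleName string
	ops      Role
	expires  time.Time
	Log      []string
}

func (p *Permit) Invoke(op string, now time.Time) error {
	if now.After(p.expires) {
		return errors.New("permit expired")
	}
	if !p.ops[op] {
		return fmt.Errorf("operation %q is outside role %q", op, p.roleName)
	}
	p.Log = append(p.Log, op)
	return nil
}

// Gate models server gate 202; it deletes a ticket on first use, so a replay yields no permit.
type Gate struct {
	sys   *System
	roles map[string]Role
	ttl   time.Duration
}

func (g *Gate) RedeemTicket(t Ticket, now time.Time) (*Permit, error) {
	roleName, ok := g.sys.outstanding[t]
	if !ok {
		return nil, errors.New("ticket unknown or already used")
	}
	delete(g.sys.outstanding, t) // invalidate: one ticket yields one permit
	ops, ok := g.roles[roleName]
	if !ok {
		return nil, fmt.Errorf("no such role %q", roleName)
	}
	return &Permit{roleName: roleName, ops: ops, expires: now.Add(g.ttl)}, nil
}

// newDemo wires up the file-system example of [0016] with a constructed
// authorizer: the hypothetical "tax-app" client may hold only the reader role.
func newDemo() (*System, *Gate) {
	roles := map[string]Role{
		"reader": {"read": true},
		"editor": {"read": true, "write": true, "delete": true},
	}
	sys := &System{outstanding: map[Ticket]string{},
		authorize: func(id, role string) bool { return id == "tax-app" && role == "reader" }}
	return sys, &Gate{sys: sys, roles: roles, ttl: time.Hour}
}

func main() {
	sys, gate := newDemo()
	t, _ := sys.IssueTicket("tax-app", "reader")
	p, _ := gate.RedeemTicket(t, time.Now())
	fmt.Println("read:", p.Invoke("read", time.Now()), "write:", p.Invoke("write", time.Now()))
	_, err := gate.RedeemTicket(t, time.Now()) // replaying the same ticket
	fmt.Println("replay:", err)
}
```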

Client Code Module

[0019] FIG. 3 illustrates part of the structure of client code module 122 from FIG. 1 in accordance with an embodiment of the present invention. Client code module 122 includes certificate chain 310 and client code 320. Certificate chain 310 includes a chain of certificates that establishes a chain of authorization for the service. The first certificate in the chain is signed by an entity that is originally authorized to confer access for the service, and subsequent certificates in the chain are signed by entities that have been delegated authorization to confer access for the service from preceding entities in the chain.

[0020] For purposes of this detailed disclosure, a certificate is a signed electronic document that certifies that something is true. A certificate typically indicates that someone has ownership of a public key. In the present invention, a certificate can indicate that an entity can have access to services represented by a key. A certificate may include the identity of a signing authority as well as a digital signature produced with a private key (that can be validated with a corresponding public key). For example, one certificate format is defined under the X.509 standard.

[0021] For purposes of this detailed disclosure, a digital signature is a value derived from a file using a secret such that it can be demonstrated that the value was derived using the secret, wherein the secret is known only to the signer. A digital signature may take the form of a message digest produced by the key and appended to the file, or may take the form of a transformation of data within the file using the key. A digital signature may also take the form of a message digest encrypted by the private key of a public key private key cryptography system.

[0022] For example, in the illustrated embodiment certificate chain 310 includes certificate-1 312, certificate-2 314 and certificate-N 316. A server code owner initially starts with a private key zero. In order to pass along authority for a role, the server code owner generates a certificate-1 312 and an associated public key private key pair, the private key being private key one. The server code owner signs certificate-1 312 with private key zero and passes certificate-1 312 along with the corresponding private key one to a first intermediary. The first intermediary generates certificate-2 314 along with a corresponding public key private key pair, including private key two. The first intermediary signs certificate-2 314 with private key one and passes certificate-2 314, along with the associated private key two and all previous certificates in the chain, to a following intermediary. This pattern continues up the chain until a final intermediary signs certificate-N 316 with private key N-1 and passes certificate-N 316, along with corresponding private key N and all previous certificates in the chain, to a client code owner. The client code owner uses private key N to sign client code 320, and then generates client code module 122, which includes certificate chain 310 and client code 320.

[0023] Hence, client code module 122 includes a verifiable chain of certificates 310 signed by intermediaries from the server code owner to the ultimate client code owner. Certificate chain 310 can be verified by using the public keys to verify that certificates in the chain are properly signed with their corresponding private keys.
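The chain construction of [0022] and the verification of [0023] (the same check state 516 performs in [0033]), as an added Go example rather than code from the patent. Keys are Ed25519 because the patent fixes no algorithm; the Certificate and ClientCodeModule types, the certBody encoding, the role names and the code bytes are all constructed here, and buildFig4 follows the server company 400, client company X 430, project X1 432 path of FIG. 4.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate delegates, to the holder of PublicKey, the authority to confer
// access for Role. It is signed with the private key of the preceding link
// (private key zero for the first certificate), as in [0022].
type Certificate struct {
	Subject   string            // constructed label for who received the key
	Role      string            // role the certificate confers
	PublicKey ed25519.PublicKey // matches the private key handed to Subject
	Signature []byte            // issuer's signature over certBody
}

// certBody is the signed content: role and public key, never the signature.
func certBody(c Certificate) []byte {
	return append([]byte(c.Role+"|"), c.PublicKey...)
}

// delegate creates the next link: a fresh key pair for subject and a
// certificate over its public key signed with the issuer's private key.
func delegate(issuerPriv ed25519.PrivateKey, subject, role string) (Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // key generation from the system CSPRNG should not fail
	}
	c := Certificate{Subject: subject, Role: role, PublicKey: pub}
	c.Signature = ed25519.Sign(issuerPriv, certBody(c))
	return c, priv
}

// ClientCodeModule mirrors FIG. 3: the certificate chain, the client code,
// and the code's signature made with the last private key in the chain.
type ClientCodeModule struct {
	Chain   []Certificate
	Code    []byte
	CodeSig []byte
}

// verifyModule is the examination of [0023] and [0033]: the first certificate
// must verify under public key zero, each later one under its predecessor's
// public key, and the code under the last certificate's key. Every link must
// also confer the requested role, so a chain cannot be reused for another role.
func verifyModule(pubZero ed25519.PublicKey, m ClientCodeModule, role string) error {
	if len(m.Chain) == 0 {
		return errors.New("empty certificate chain")
	}
	signer := pubZero
	for i, c := range m.Chain {
		if c.Role != role {
			return fmt.Errorf("certificate %d confers role %q, not %q", i, c.Role, role)
		}
		if !ed25519.Verify(signer, certBody(c), c.Signature) {
			return fmt.Errorf("certificate %d (%s) is not signed by the preceding key", i, c.Subject)
		}
		signer = c.PublicKey
	}
	if !ed25519.Verify(signer, m.Code, m.CodeSig) {
		return errors.New("client code is not signed by the last key in the chain")
	}
	return nil
}

// buildFig4 constructs the path server company 400 -> client company X ->
// project X1 from FIG. 4 (constructed keys and code). It returns public key
// zero, the resulting code module 438, and a module whose second certificate
// was signed by a key that was never delegated authority.
func buildFig4() (ed25519.PublicKey, ClientCodeModule, ClientCodeModule) {
	pubZero, privZero, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	certX, privX := delegate(privZero, "client company X", "read-file")
	certX1, privX1 := delegate(privX, "project X1", "read-file")
	code := []byte("constructed client code 320 for project X1")
	good := ClientCodeModule{Chain: []Certificate{certX, certX1}, Code: code,
		CodeSig: ed25519.Sign(privX1, code)}

	_, privOutsider, _ := ed25519.GenerateKey(rand.Reader) // never delegated to
	certBad, privBad := delegate(privOutsider, "undelegated project", "read-file")
	bad := ClientCodeModule{Chain: []Certificate{certX, certBad}, Code: code,
		CodeSig: ed25519.Sign(privBad, code)}
	return pubZero, good, bad
}

func main() {
	pubZero, good, bad := buildFig4()
	fmt.Println("valid chain:", verifyModule(pubZero, good, "read-file"))
	fmt.Println("undelegated link:", verifyModule(pubZero, bad, "read-file"))
	fmt.Println("wrong role:", verifyModule(pubZero, good, "write-file"))
}
```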

Delegation of Authority

[0024] FIG. 4 illustrates how authority to access a service is delegated between different entities using a chain of certificates in accordance with an embodiment of the present invention. In this example, server company 400 delegates authority to access data associated with a server code module, such as server code module 112 in FIG. 1. This server code module is distributed to various third party systems, and can interact with properly authorized client code modules on these third party systems. Alternatively, the server code module can interact with client code modules on computer systems belonging to either server company 400 or to the owners of the client code modules.

[0025] In the example illustrated in FIG. 4, server company 400 does the following. First, server company 400 generates a public/private key pair, including private key zero. Next, server company 400 generates server code 460, which checks to see that client code modules include a chain of certificates, including a root certificate signed with private key zero. Second, server company 400 generates a certificate and a public/private key pair for each intermediary or client company that it desires to delegate authority to. Third, it sends the certificate signed with private key zero and the private key associated with the certificate to the intermediary or client company. In the illustrated example, server company 400 sends certificate X 404 (signed with private key zero) and private key X 402 to client company X 430. Server company 400 additionally sends certificate Y 420 (signed with private key zero) and private key Y 418 to intermediary Y 450.

[0026] In the example illustrated in FIG. 4, client company X 430 generates certificates and public/private key pairs for each of three projects, and passes the certificates and associated private keys to entities within client company X 430 that are responsible for producing three different client code modules. In particular, client company X 430 passes certificate X1 408 (signed with private key X) and private key X1 406 to project X1 432. Client company X 430 also passes certificate X2 412 (signed with private key X) and private key X2 410 to project X2 434. Client company X 430 additionally passes certificate X3 416 (signed with private key X) and private key X3 414 to project X3 436.

[0027] Next, each project within client company X 430 creates a code module. In particular, project X1 432 creates a code module 438 for project X1. This code module includes a chain of certificates, including certificate X 404 (signed with private key zero) and certificate X1 408 (signed with private key X 402). Code module 438 also includes code (not shown) that is signed with private key X1 406. Project X2 434 creates code module 440 for project X2. This code module includes a chain of certificates, including certificate X 404 (signed with private key zero) and certificate X2 412 (signed with private key X 402). Code module 440 also includes code (not shown) that is signed with private key X2 410. Project X3 436 creates code module 442 for project X3. This code module includes a chain of certificates, including certificate X 404 (signed with private key zero) and certificate X3 416 (signed with private key X 402). Code module 442 also includes code (not shown) that is signed with private key X3 414.

[0028] In the example illustrated in FIG. 4, intermediary Y 450 generates a certificate Z 424 and a public/private key pair, including private key Z 422. Intermediary Y 450 signs certificate Z 424 using private key Y 418 and passes certificate Z 424 (signed with private key Y 418) along with private key Z 422 to client company Z 452.

[0029] Client company Z 452 creates code module 454 for project Z, which includes a chain of certificates, including certificate Y 420 (signed with private key zero) and certificate Z 424 (signed with private key Y 418). Code module 454 also includes code (not shown) that is signed with private key Z 422.


Delegation and Authorization Process

[0030] FIG. 5 is a flow chart illustrating how authorization to access a service is propagated and is ultimately used to gain access to the service in accordance with an embodiment of the present invention. The system starts at state 500 and proceeds to state 502. In state 502, server company 400 (from FIG. 4) creates server code 460, which checks for clients being signed with key zero. Key zero is associated with a particular role, which defines a set of services that may be performed in the role. The system next proceeds to state 504. In state 504, server company 400 creates for each client a new public/private key pair and a certificate. The system next proceeds to state 506. In state 506, server company 400 exchanges these certificates and private keys with the clients. This exchange may involve a transfer of money in payment for the use of the service or some other contractual consideration. The system next proceeds to state 508.

[0031] In state 508, each client company optionally generates its own public/private key pairs and matching certificates for each client code module that is to assume the role represented by key zero. This process may be repeated for numerous levels of clients and intermediaries until a final client that owns the client code is reached. The system next proceeds to state 510.

[0032] In state 510, the final client signs the client code with the last key in the chain and packages it with all certificates in the chain. The system next proceeds to state 512. In state 512, client code module 122 is downloaded to a third party system 140, which also loads server code module 112 from server company 400. The system then proceeds to state 514.

[0033] In state 514, the client code requests access to the service stored by the server code by requesting a ticket for a role from the system. This role specifies certain operations on the service. The system next proceeds to state 516. In state 516, the system checks the validity of the request. This is done by examining all certificates in the chain and the client code to ensure that the certificates and the client code are signed with the proper private keys. This is accomplished by using the corresponding public keys to verify signing by the corresponding private keys. If the request is valid, the system returns a ticket to the client.

[0034] The process of examining the chain of certificates may be carried out completely by the server code, or completely by neutral code on the third party system. Alternatively, a portion of the examination can be carried out by the system code and a portion carried out by the neutral code. For example, the neutral code can examine all of the certificates except the first certificate, and the server code can examine the first certificate to verify that it is signed by private key zero. The system next proceeds to state 518. In state 518, the client code passes the ticket to server gate 202 (as was described above with reference to FIG. 2). Server gate 202 checks the validity of the ticket, and if valid, server gate 202 sends to the client code a permit to access the service through the role. The system next proceeds to state 522, which is an end state. The above-described process is repeated for each new server code module or client code module that the system desires to create.

[0035] Note that the above-described process that produces a permit for the client code is not strictly necessary, and may be dispensed with in certain situations. If accesses to the service are infrequent, the desired access can simply be performed without giving the client code a permit for successive accesses. Additionally, the permit does not have to be passive. It may include, among other things, a mechanism to inactivate the permit after a certain time period, and a mechanism that maintains a log of uses of the permit. It may also include mechanisms to ensure the permit has not been revoked and to identify users of the permit.

[0036] The foregoing descriptions of embodiments of the invention have been presented for purposes of illustration and description only. They are not intended to be exhaustive or to limit the invention to the forms disclosed. Many modifications and variations will be apparent to practitioners skilled in the art.


Clainns 

1. A method for providing a first computer program 

HKXlule (122) with~~an ability to access a service ss 6. 
from a second computer program module (112), 
comprising: 



receiving the first computer program module 
(122); 

determining whether the first computer pro- 
gram module (1 22) has been digitally signed by 
an authority (204) having power to confer 
access for the service from the second compu- 
ter prograni module (112); 
if the first computer program module (122) has 
been digitally signed by the authority (204) hav- 
ing power to confer access (212, 520) for the 
service, providing tiie first computer program 
module (122) with access to the service; and 
allowing the first computer program module 
(122) and tiie second conputer program mod- 
ule (1 12) to run in the same address space on 
the same computing node, so that the first 
conputer program module (122) can access 
the service from the secorxl conputer program 
module (112). 

The method of claim 1 . wherein the act of determin- 
ing whether the first computer program module 
(122) has been digitally signed by the authority 
(204) having power to confer access for the service, 
includes using a public key associated witii the 
servrce to verify that the first computer program 
nrKXfule (1^) has been digitally signed by a con-e- 
spcwiding private key (312) for the service. 

The method of claim 1 or claim 2. wherein tiie act of 
determining whether the first computer program 
module (122) h^ t^een digitally signed by tiie 
authority having power to confer access for the 
service, includes verifying that the first computer 
program module includes a chain of certificates 
(310) establishing authorisatfon for the service, a 
first certificate (31 2) in tiie chain (31 0) being signed 
by an entity tiiat is originally authorised to confer 
access for the service, and subsequent certificates 
(314-316) in the chain (310) being signed by enti- 
ties (430, 450) that have been delegated autfK>risa- 
tion to confer access (616) for the s^vice. 

The method of any one of claims 1 to 3. wherein tiie 
act of providing the first conputer fa-ogram nrxxlule 
(122) access to the service, includes provkiing 
(212) the first conputer program module with a per- 
mit that allows tiie first conputer program module 
(122) to perform a resti-icted set of sen/ices. 

The method of any one of claims 1 to 4. wherein the 
service is acx;essed tiirough an object defined 
witiiin an object oriented programming system. 

The method of any one of claims 1 to 5. wherein tiie 
first conputer program module (122) include a 
Java Archive file. 
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7. The method of any one of dainns 1 to 6. wherein the 
first computer program module (122) includes com- 
puter code (320) and at least one digital certificate 
(312, 314,316). 

5 

8. The method of any one of claims 1 to 7, wherein providing the first computer program module (122) with access to the service allows the first computer program module (122) to interact with the second computer program module (112).

9. The method of claim 8, wherein the first computer program module (122) originates from a first server (120) and is transferred (512) to a computer node (140) for execution, and the second computer program module (112) originates from a second server (110) and is transferred (512) to the computer node (140) for execution.

10. The method of claim 8 or claim 9, wherein the first server (120) and the second server (110) are separately located from the computer node (140).

11. The method of any one of claims 1 to 10, wherein the service includes a plurality of services.

12. An apparatus that provides a first computer program module (122) with an ability to access a service from a second computer program module (112), comprising:

a computer node (140);

a receiving means, within the computer node, that receives the first computer program module (122);

a verification means (204), within the computer node, that verifies that the first computer program module (122) has been digitally signed by an authority having power to confer access (212) for the service;

an access means (202), within the computer node, that provides the first computer program module (122) with access to the service if the first computer program module has been digitally signed by the authority having power to confer access for the service; and

an execution means, within the computer node (140), that allows the first computer program module (122) and the second computer program module (112) to run in the same address space on the same computing node, so that the first computer program module (122) can access the service from the second computer program module (112).

13. The apparatus of claim 12, wherein the verification means (204) is configured to use a public key associated with the service to verify that the first computer program module (122) has been digitally signed by a corresponding private key for the service.

14. The apparatus of claims 12 or 13, wherein the verification means is configured to verify that the first computer program module (122) includes a chain of certificates (310) establishing authorisation for the service, a first certificate (312) in the chain (310) being signed by an entity that is originally authorised to confer access for the service, and subsequent certificates (314-316) in the chain (310) being signed by entities that have been delegated authorisation to confer access for the service.

15. The apparatus of any one of claims 12 to 14, wherein the access means (202) is configured to provide the first computer program module (122) with a permit that allows the first computer program module (122) to perform a restricted set of services.

16. The apparatus of any one of claims 12 to 15, wherein the service is accessed through an object defined within an object oriented programming system.

17. The apparatus of any one of claims 12 to 16, wherein the first computer program module (122) includes a Java Archive file.

18. The apparatus of any one of claims 12 to 17, wherein the first computer program module (122; 4^; 434; 436; 452) includes computer code and at least one digital certificate (404; ^18; 412; 416; 424).

19. The apparatus of any one of claims 12 to 18, wherein the receiving means is configured to transfer the first computer program module (122) from a first server (120), and to transfer the second computer program module (112) from a second server (110).

20. The apparatus of claim 19, wherein the first server (110) and the second server (120) are separate from the computer node (140).

21. The apparatus of claims 19 or 20, wherein the service includes a plurality of services.

22. A computer readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for providing a first computer program module (122) with an ability to access a service from a second computer program module (112), comprising:

receiving the first computer program module (122);

determining whether the first computer program module (122) has been digitally signed by an authority (400) having power to confer access for the service from the second computer program module (112);

if the first computer program module (122) has been digitally signed by the authority (400) having power to confer access (212, 520) for the service, providing the first computer program module with access to the service; and

allowing the first computer program module (122) and the second computer program module (112) to run in the same address space on the same computing node (140), so that the first computer program module (122) can access the service from the second computer program module (112).

23. A computer program module or Java applet (122) which is able to access a service from a second computer program module, comprising:

a computer code section (320), including computer code for execution on a computer node to carry out functions of the first computer program module; and

a digital signature section (310), including a chain of certificates establishing authorization for the service, a first certificate (312) in the chain being signed by an entity that is originally authorized to confer access for the service, and subsequent certificates (314, 316) in the chain being signed by entities that have been delegated authorization to confer access for the service, the digital signature section allowing the computer node to determine whether the computer program module has been granted authority to access the service.
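Taken together, the verification means of claims 12 to 14, the permit of claims 4 and 15, and the digital signature section of claim 23 describe two separate checks: walk the certificate chain back to the entity originally authorised for the service, and only then hand the module a permit limited to a restricted set of operations. The following Python script is an added illustration of both checks; it is not code from the patent, from the Java platform or from any Sun product. It assumes a toy textbook-RSA signature over fixed Mersenne primes as a stand-in for a real signature scheme, a JSON certificate layout, a constructed service name "printing", constructed module bytes, and the invented entity names ROOT, DELEGATE_A and SIGNER_B.

```python
"""Added example, not code from the patent: a toy delegation-chain verifier
(claims 3, 14, 23) plus a restricted-operation permit (claims 4, 15).
Signatures are textbook RSA over fixed Mersenne primes so the script runs
offline; certificate format, service name and module bytes are constructed."""
import hashlib
import json
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key


def _mersenne(k: int) -> int:
    return (1 << k) - 1


@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus; doubles as the entity's identifier in certificates
    d: int  # private exponent


def make_keypair(p: int, q: int) -> KeyPair:
    # Textbook RSA key from two primes (toy only: no padding, fixed primes).
    return KeyPair(p * q, pow(E, -1, (p - 1) * (q - 1)))


def _digest(data: bytes) -> int:
    # 120-bit SHA-256 prefix, small enough to lie below every toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:15], "big")


def sign(key: KeyPair, data: bytes) -> int:
    return pow(_digest(data), key.d, key.n)


def verify(pub_n: int, data: bytes, sig: int) -> bool:
    return pow(sig, E, pub_n) == _digest(data)


def cert_payload(cert: dict) -> bytes:
    # Canonical bytes covered by the certificate signature.
    return json.dumps({k: cert[k] for k in ("service", "subject", "issuer")},
                      sort_keys=True).encode()


def issue_cert(issuer: KeyPair, subject_pub: int, service: str) -> dict:
    # `issuer` confers on `subject_pub` the authority to grant `service`.
    cert = {"service": service, "subject": subject_pub, "issuer": issuer.n}
    cert["sig"] = sign(issuer, cert_payload(cert))
    return cert


def verify_chain(root_pub: int, service: str, chain: list, code: bytes,
                 code_sig: int) -> bool:
    """Verification means: the first certificate must be signed by the entity
    originally authorised for `service` (root_pub), each later certificate by
    the subject of the one before it, and the module code by the last subject."""
    if not chain:
        return False
    expected_issuer = root_pub
    for cert in chain:
        if cert["service"] != service or cert["issuer"] != expected_issuer:
            return False
        if not verify(cert["issuer"], cert_payload(cert), cert["sig"]):
            return False
        expected_issuer = cert["subject"]
    return verify(expected_issuer, code, code_sig)


@dataclass(frozen=True)
class Permit:
    service: str
    allowed: frozenset  # the restricted set of operations the module may invoke


def admit_module(root_pub, service, chain, code, code_sig, allowed_ops):
    """Access means: hand out a Permit only when the chain verifies."""
    if not verify_chain(root_pub, service, chain, code, code_sig):
        return None
    return Permit(service, frozenset(allowed_ops))


def call_service(permit, op: str) -> str:
    """Service side: run `op` only if the caller's permit lists it."""
    if permit is None or op not in permit.allowed:
        raise PermissionError(f"operation {op!r} not covered by permit")
    return f"{permit.service}:{op}:ok"


# Constructed entities: root authority -> delegate A -> module signer B.
ROOT = make_keypair(_mersenne(61), _mersenne(89))
DELEGATE_A = make_keypair(_mersenne(107), _mersenne(127))
SIGNER_B = make_keypair(_mersenne(521), _mersenne(607))
MODULE_CODE = b"PK\x03\x04 constructed stand-in for a signed applet JAR"
CHAIN = [issue_cert(ROOT, DELEGATE_A.n, "printing"),
         issue_cert(DELEGATE_A, SIGNER_B.n, "printing")]
CODE_SIG = sign(SIGNER_B, MODULE_CODE)

if __name__ == "__main__":
    permit = admit_module(ROOT.n, "printing", CHAIN, MODULE_CODE, CODE_SIG, ["print"])
    print(call_service(permit, "print"))  # printing:print:ok
    rogue = make_keypair(_mersenne(31), _mersenne(127))
    rogue_chain = [issue_cert(rogue, SIGNER_B.n, "printing")]
    print(verify_chain(ROOT.n, "printing", rogue_chain, MODULE_CODE, CODE_SIG))  # False
```

verify_chain refuses a chain whose first certificate was not issued by the root authority, a chain issued for a different service, a break in the issuer/subject continuity, and a module whose code bytes changed after signing; those are the cases the verification means (204) exists to catch. The permit is kept separate from the chain check on purpose: even a module that verified can only reach the operations the access means listed, which is the restricted set the claims describe.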

24. A computer program encoding a set of computer instructions for facilitating the provision of a first computer program module (122) with an ability to access a service from a second computer program module (112), which when running on a computer is adapted to perform the method as claimed in any one of the claims 1 to 11.